New "Alice" Malware Makes ATMs Spit Out Cash

In November 2016, Europol and Trend Micro discovered a new breed of malware that targets ATMs and enables crooks with physical access to the machine's ports to make an ATM spit out cash.

Researchers nicknamed the malware Alice, after the name its creator gave the binary (Project Alice), and found evidence that it has been circulating since 2014.

Thieves need access to ATM ports

Crooks use Alice by gaining access to one of the ATM's USB or CD-ROM slots to load the malware onto the machine, then connecting a keyboard so they can interact with its software.

ATMs, which in most cases are stripped-down computers running Windows XP, let the crooks use that keyboard to launch the malware.

At this point the attacker must enter a PIN (an access code, unrelated to any payment card PIN) before the malware will run.

This PIN acts as a self-protection mechanism: it stops bank personnel from running the binary to see what it does, should they ever find it.

Additionally, because Alice is handed out to low-level money mules, the PIN also serves as an affiliate ID, letting the cyber-crime gang track who used Alice and where, and spot any mule who was dishonest and shared the malware with other groups elsewhere in the world.

Alice has only one feature

Once the PIN is accepted, Alice runs. Unlike other ATM malware families, which come with a multitude of features that give crooks almost full control over the ATM, Alice has only one component.

According to Trend Micro, this component connects the malware's process to the ATM's cash dispenser module and brings up a window like the one shown below.

ATM banknote inventory table [Source: Trend Micro]

In a real-life ATM, the table shows the number of banknotes held for each denomination. The attacker uses the keyboard to order the ATM to dispense cash while keeping an eye on the remaining inventory.

Since most ATMs are limited to 40 bills per withdrawal, the attacker has to repeat the operation several times to drain the machine.

Alice includes RDP support, but it was never used

It is worth mentioning that Alice also includes an option for crooks to connect to the targeted ATM over RDP (Remote Desktop Protocol), but Europol and Trend Micro researchers say they never saw this feature used.

The likely reason is that the attacker would need to know the ATM's RDP password, or carry out a brute-force attack to guess it, which is very noisy and easy for the bank to spot.
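To make the "noisy" point concrete, here is an added example (not code from the article or from Trend Micro's analysis) of the kind of detection a bank's SOC would run against the ATM's Windows Security log: count failed RDP logons per source address in a sliding window, and flag a subsequent successful RDP logon from a flagged source. The log lines are constructed for the demo and use a simplified one-line-per-event rendering rather than real EVTX XML; the event IDs assumed are the Vista-and-later 4625 (failed logon) and 4624 (successful logon), so on a genuine Windows XP ATM the feed would first have to be normalised by a SIEM (XP uses different IDs).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real ATM telemetry): a burst of failed RDP logons
# (EventID 4625, LogonType 10 = RemoteInteractive) from one address, then a
# success (4624) from the same address, plus unrelated noise.
SAMPLE_LOG = """\
2016-12-20T02:14:01 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.23
2016-12-20T02:14:02 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.23
2016-12-20T02:14:03 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.23
2016-12-20T02:14:04 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.23
2016-12-20T02:14:06 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.23
2016-12-20T02:14:09 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.23
2016-12-20T02:14:20 EventID=4624 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.23
2016-12-20T02:30:00 EventID=4625 LogonType=2 TargetUser=branchsvc SourceIP=-
2016-12-20T03:05:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.8.4.77
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive: RDP / Terminal Services


def parse_line(line):
    """Parse one constructed 'ts key=value ...' line into a dict (None if blank)."""
    line = line.strip()
    if not line:
        return None
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def rdp_bruteforce_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak_failures} for sources that produced at least
    `threshold` failed RDP logons inside any sliding interval of length `window`."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("EventID") != FAILED_LOGON or e.get("LogonType") != RDP_LOGON_TYPE:
            continue
        src = e["SourceIP"]
        q = recent[src]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def successes_after_burst(events, flagged):
    """Successful RDP logons from a flagged source: the case to page on, since
    it means one of the guesses may have landed."""
    return [
        (e["SourceIP"], e["TargetUser"], e["ts"].isoformat())
        for e in events
        if e.get("EventID") == SUCCESS_LOGON
        and e.get("LogonType") == RDP_LOGON_TYPE
        and e["SourceIP"] in flagged
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = rdp_bruteforce_bursts(evs)
    print("brute-force sources:", bursts)
    print("successful RDP logons after a burst:", successes_after_burst(evs, bursts))
```

The threshold and window are deliberately low here; on a real ATM fleet RDP logons should be rare enough that even a handful of failures from one address in a minute deserves a look, and a success following such a burst is the event to treat as a probable compromise.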

ATM malware has been around for nine years; the first variants were detected back in 2007.

Currently, ATM malware falls into one of two categories, or both: malware that lies hidden on the machine and collects payment card data, logs it, and sends it to the crooks; and malware that lets attackers send real-time commands to the ATM.

Alice is different from other ATM malware families

Alice falls into the second category but is very different from fellow ATM malware families such as RIPPER, SUCEFUL, or GreenDispenser.

All of the above are controlled via the ATM's numeric keypad (PIN pad). Alice is not. Its creators did not bother coding the component that handles communication between the malware and the PIN pad, and focused only on the module that matters: the one that dispenses cash.

The presence of a single component could also mean that Alice's creators are less experienced than other malware authors, or that they decided collecting payment card data and reselling it online is too time-consuming and focused on getting at cash directly, reducing the complexity of their criminal network.

With over 432,000 ATMs installed worldwide, the ATM malware scene is a very lucrative sector that offers immediate results. Expect the explosion of ATM malware families that started three years ago to continue in 2017.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is.